Greetings from Brussels!
Quite the week in Europe, as the Court of Justice of the European Union took center stage. It kicked off Monday in Luxembourg in a case involving the Belgian Data Protection Authority and Facebook regarding EU regulatory powers. Clearly at stake here for Facebook, and other tech giants by extension, is a court ruling that could lead to multiple legal actions and battles across the EU.
For background, the case before the CJEU came on the heels of a well-documented legal battle through the Belgian court system, which commenced back to 2015. This week the Belgian courts were seeking CJEU guidance on Facebook’s challenge against the territorial competence of the Belgian regulator’s bid to stop the company from tracking Belgian users — be they account holders or not — through cookies stored in social plug-ins.
Under the GDPR, Facebook’s legal team argued for the principle tenants of the one-stop-shop mechanism citing its core purpose to prevent fragmented enforcement. Facebook emphasized that EU rules of competence need to be upheld over the national courts and authorities. In short, they cautioned that legal chaos would ensue otherwise. The Belgian DPA retorted that the “GDPR does not say anywhere that the lead authority has exclusive competence and that the non-lead authority may not go to court.”
This is a tough call for the CJEU. If the Belgian DPA is successful in the ruling, it could become a field day for other national EU regulators to start similar proceedings aimed at any of the tech giants. Interestingly, the court will also have to assess whether the GDPR applies as the Belgian case predates the regulation being implemented. No doubt, the Irish Data Protection Commission — the lead regulator for Facebook — as well as the European Data Protection Board, will watch this case closely.
With the recent "Schrems II" ruling still very much at the fore for privacy pros, the CJEU also ruled this week to curtail indiscriminate surveillance by national EU governments to oblige big technology and telecoms service providers to store user data, including location data and metadata in the name of crime prevention and national security. The ruling confirmed that instead of being the norm, bulk retention of communications data should only be acted upon in the presence of a "serious threat" or a clear danger to national security. EU law precludes national member state law, and its provisions, such as proportionality, the fundamental rights to privacy, data protection and freedom of expression, should all be respected.
Where there is a present or imminent danger for national security reasons the court did rule that member states can derogate to limited and temporary bulk collection and retention but only to data sets that are strictly necessary. The same applies to the case of a threat to public security for serious crime prevention with additional safeguards and reviews by jurisdictional courts or independent authorities.
There are certainly several EU member state national security policies that will come under scrutiny with this latest ruling; France and Belgium spring to mind, where state surveillance powers are broad. The IAPP's Joe Duball reported on the potential implications for the ongoing adequacy talks between the EU and U.K. Critical to those discussions has to be the U.K.’s investigatory powers act passed in 2016, often referred to as the "snoopers" bill, which gives U.K. government agencies sweeping powers to intercept and retain digital communications. This latest ruling by the CJEU only reinforces that such powers need to be the exception and not the practice, not only in member states, but also for the U.K. as it becomes a "third country."
I recall the September article "Unspoken Truths about Schrems II" written by Eduardo Ustaran of Hogan Lovells in which he talks about “the natural and constant tension between the protection of privacy and the need for the state to access personal data to perform its functions.” This latest CJEU ruling only goes to amplify that constant struggle.